All Mastodon versions until v4.3.8 and v4.2.21 allow arbitrary user-facing URLs for remote accounts, posts, and media attachments without any verification, which can be used by attackers for XSS attacks.
Lol, I raised similar concerns about this behavior a whole year ago, and people told me I had to be wrong because Mastodon wouldn't make such an obvious oversight
(my concern was about spoofing / phishing rather than XSS, but it's the same bit of code at fault)
RE: https://mastodon.social/users/MastodonEngineering/statuses/114461656642664237
-
@hazelnoot So if I understand correctly, mastodon used to accept relative URLs in federated objects?
That does seem like a spoofing vector. I'm not sure I see the XSS risk, though
-
@jenniferplusplus@hachyderm.io It used to accept anything, including links to other posts on other instances. It's not spoofing like the vulns we had to fix for sharkey, but spoofing in the sense that you could direct to a phishing link or something.
-
@hazelnoot I'm just reading through the patch, and it seems to me that the only change is to require that object urls are rooted with an http(s) scheme. So I'm not sure that it really mitigates that particular vector for being misleading.
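Added example (not from this thread and not Mastodon's own code) showing the two checks the posts above distinguish: the scheme-only rule the patch is described as adding, which stops relative and non-http(s) values such as `javascript:` URLs, and a stricter same-host rule (a hypothetical policy, not something Mastodon implements) that addresses the misleading-link case, where a well-formed https URL points at an unrelated site. The function names, the fallback to the object's `id`, and the sample objects are all assumptions constructed for the example.

```ruby
require 'uri'

# Check 1: the kind of validation the patch discussed above is described as
# adding. Only absolute http/https URLs with a host pass; relative paths,
# "javascript:", "data:" and unparsable strings are rejected.
def acceptable_scheme?(url)
  uri = URI.parse(url.to_s)
  %w[http https].include?(uri.scheme&.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Check 2 (hypothetical policy, not Mastodon's): the user-facing url must share
# its host with the object's own id, so a remote object cannot send viewers to
# an unrelated site even when the URL is well-formed https.
def same_host_as_id?(id, url)
  return false unless acceptable_scheme?(id) && acceptable_scheme?(url)
  URI.parse(id).host.casecmp?(URI.parse(url).host)
end

# Pick the URL to show for a federated object. On any failed check we fall back
# to the object's id (its canonical fetch URL), which the caller is assumed to
# have verified already. "url" may be a plain string or a Link object.
def display_url_for(object, require_same_host: false)
  id  = object['id']
  raw = object['url']
  raw = raw['href'] if raw.is_a?(Hash)
  return id if raw.nil?
  return id unless acceptable_scheme?(raw)
  return id if require_same_host && !same_host_as_id?(id, raw)
  raw
end

# Constructed sample objects, not real federated data.
SAMPLE_OBJECTS = [
  { 'id' => 'https://remote.example/notes/1', 'url' => 'https://remote.example/@alice/1' },
  { 'id' => 'https://remote.example/notes/2', 'url' => 'javascript:alert(1)' },
  { 'id' => 'https://remote.example/notes/3', 'url' => '/local/path' },
  { 'id' => 'https://remote.example/notes/4', 'url' => 'https://other.example/login' },
  { 'id' => 'https://remote.example/notes/5',
    'url' => { 'type' => 'Link', 'href' => 'https://remote.example/@alice/5' } },
]

if __FILE__ == $PROGRAM_NAME
  SAMPLE_OBJECTS.each do |obj|
    puts "#{obj['id']} -> scheme-only: #{display_url_for(obj)} | " \
         "same-host: #{display_url_for(obj, require_same_host: true)}"
  end
end
```

Run as-is to see the two policies side by side: object 4 passes the scheme check but is replaced by its `id` under the same-host rule. The stricter rule is a trade-off rather than a drop-in fix, since some deployments legitimately serve media or profile pages from a different host than the object `id`, so it is better applied per field (for example to account and post links) than to every URL in an object.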
-
@jenniferplusplus@hachyderm.io oh, then maybe I should report that other case as well...